From 2dda3a961921534bec5df1dfb039c47ade0ff5b1 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Mon, 10 Jun 2013 14:13:28 -0400
Subject: Add LDAP search patch from
 http://forum.pfsense.org/index.php/topic,59246.0.html

---
 config/squidGuard/squidguard.inc              |  6 +++
 config/squidGuard/squidguard.xml              | 58 ++++++++++++++++++++++++++-
 config/squidGuard/squidguard_acl.xml          |  5 ++-
 config/squidGuard/squidguard_configurator.inc | 56 ++++++++++++++++++++------
 4 files changed, 110 insertions(+), 15 deletions(-)

(limited to 'config')

diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc
index 1ea1b5a5..d58dfb79 100644
--- a/config/squidGuard/squidguard.inc
+++ b/config/squidGuard/squidguard.inc
@@ -979,6 +979,12 @@ function convert_pfxml_to_sgxml() {
 
     $sgxml[F_LOGDIR]           = SQUIDGUARD_LOGDIR;
     $sgxml[F_DBHOME]           = SQUIDGUARD_DBHOME;
+    $sgxml[F_LDAPENABLE]       = $pfxml['ldap_enable'];
+    $sgxml[F_LDAPBINDDN]       = $pfxml['ldapbinddn'];
+    $sgxml[F_LDAPBINDPASS]     = $pfxml['ldapbindpass'];
+    $sgxml[F_LDAPVERSION]      = $pfxml['ldapversion'];
+    $sgxml[F_STRIPNTDOMAIN]    = $pfxml['stripntdomain'];
+    $sgxml[F_STRIPREALM]       = $pfxml['striprealm'];
     $sgxml[F_BINPATH]          = SQUIDGUARD_BINPATH;
     $sgxml[F_WORKDIR]          = SQUIDGUARD_WORKDIR;
     $sgxml[F_SGCONF_XML]       = SQUIDGUARD_WORKDIR . SQUIDGUARD_CONFXML;
diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml
index 21356e1c..e1fb3d41 100644
--- a/config/squidGuard/squidguard.xml
+++ b/config/squidGuard/squidguard.xml
@@ -122,7 +122,61 @@
                         <description><![CDATA[Check this option to enable squidGuard]]></description>
                         <type>checkbox</type>
                 </field>
-				<field>
+                <field>
+                        <name>LDAP Options</name>
+                        <type>listtopic</type>
+                </field>
+                <field>
+                        <fielddescr>Enable LDAP Filter</fielddescr>
+                        <fieldname>ldap_enable</fieldname>
+                        <description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description>
+                        <type>checkbox</type>
+                        <enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields>
+                </field>
+                <field>
+                        <fielddescr>LDAP DN</fielddescr>
+                        <fieldname>ldapbinddn</fieldname>
+                        <description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description>
+                        <type>input</type>
+                        <size>60</size>
+                </field>
+                <field>
+                        <fielddescr>LDAP DN Password</fielddescr>
+                        <fieldname>ldapbindpass</fieldname>
+                        <description><![CDATA[Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]]]></description>
+                        <type>password</type>
+                </field>
+                <field>
+                        <fielddescr>Strip NT domain name</fielddescr>
+                        <fieldname>stripntdomain</fieldname>
+                        <description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description>
+                        <type>checkbox</type>
+                        <default_value>on</default_value>
+                </field>
+                <field>
+                        <fielddescr>Strip Kerberos Realm</fielddescr>
+                        <fieldname>striprealm</fieldname>
+                        <description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description>
+                        <type>checkbox</type>
+                        <default_value>on</default_value>
+                </field>
+                <field>
+                        <fielddescr>LDAP Version</fielddescr>
+                        <fieldname>ldapversion</fieldname>
+                        <type>select</type>
+                        <default_value>3</default_value>
+                        <options>
+                                <option>
+                                        <name>Version 2</name>
+                                        <value>2</value>
+                                </option>
+                                <option>
+                                        <name>Version 3</name>
+                                        <value>3</value>
+                                </option>
+                        </options>
+                </field>
+                <field>
                         <name>Logging options</name>
                         <type>listtopic</type>
                 </field>
@@ -144,7 +198,7 @@
                         <description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description>
                         <type>checkbox</type>
                 </field>
-				<field>
+		<field>
                         <name>Miscellaneous</name>
                         <type>listtopic</type>
                 </field>
diff --git a/config/squidGuard/squidguard_acl.xml b/config/squidGuard/squidguard_acl.xml
index 07ecd71b..243576e8 100644
--- a/config/squidGuard/squidguard_acl.xml
+++ b/config/squidGuard/squidguard_acl.xml
@@ -106,7 +106,10 @@
 								<b>Example:</b><br>
 								<b>IP:</b> 192.168.0.1 - <b>Subnet:</b> 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - <b>IP-Range:</b> 192.168.1.1-192.168.1.10<br>
 								<b>Domain:</b> foo.bar matches foo.bar or *.foo.bar<br>
-								<b>Username:</b> 'user1'
+								<b>Username:</b> 'user1' <br>
+                                                                <b>Ldap search (Ldap filter must be enabled in General Settings):</b> <br>
+                                                                ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))<br>
+                                                                <i>Attention: these line don't have break line, all on one line</i>
 						]]></description>
 						<type>textarea</type>
 						<cols>65</cols>
diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc
index b900a477..ab44ae8d 100644
--- a/config/squidGuard/squidguard_configurator.inc
+++ b/config/squidGuard/squidguard_configurator.inc
@@ -244,6 +244,12 @@ define('F_SQUIDGUARD',          'squidGuard');
 define('F_LOGDIR',              'logdir');
 define('F_DBHOME',              'dbhome');
 define('F_WORKDIR',             'workdir');
+define('F_LDAPENABLE',          'ldap_enable');
+define('F_LDAPBINDDN',          'ldapbinddn');
+define('F_LDAPBINDPASS',        'ldapbindpass');
+define('F_LDAPVERSION',         'ldapversion');
+define('F_STRIPNTDOMAIN',       'stripntdomain');
+define('F_STRIPREALM',          'striprealm');
 define('F_BINPATH',             'binpath');
 define('F_PROCCESSCOUNT',       'process_count');
 define('F_SQUIDCONFIGFILE',     'squid_configfile');
@@ -331,6 +337,7 @@ function sg_init($init = '')
         $squidguard_config[F_BINPATH]         = SQUIDGUARD_BINPATH;
         $squidguard_config[F_SQUIDCONFIGFILE] = SQUID_CONFIGFILE;
         $squidguard_config[F_PROCCESSCOUNT]   = REDIRECTOR_PROCESS_COUNT;
+        
     } else {
         # copy config from $init
         foreach($init as $key => $in)
@@ -848,6 +855,15 @@ function sg_create_config()
     $sgconf[] = CONFIG_SG_HEADER;
     $sgconf[] = "logdir {$squidguard_config[F_LOGDIR]}";
     $sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}";
+    if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+        $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+        $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+        $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+        if ( $squidguard_config[F_STRIPNTDOMAIN] )
+            $sgconf[] = "stripntdomain true";
+        if ( $squidguard_config[F_STRIPREALM] )
+            $sgconf[] = "striprealm true";
+    }
 
     # --- Times ---
     if ($squidguard_config[F_TIMES]) {
@@ -879,13 +895,17 @@ function sg_create_config()
             $sg_tag->set("src", $src[F_NAME], "", $src[F_DESCRIPTION]);
 
             # separate IP, domains, usernames
-            $tsrc = explode(" ", trim($src[F_SOURCE]));
-            foreach($tsrc as $sr) {
-                    $sr = trim($sr);
-                    if     (empty($sr))           continue;
-                    if     (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip     $sr";
-                    elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
-                    elseif (is_username($sr))     $sg_tag->items[] = "user   " . str_replace("'", "", $sr);
+            if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false) {
+                $tsrc = explode(" ", trim($src[F_SOURCE]));
+                foreach($tsrc as $sr) {
+                        $sr = trim($sr);
+                        if     (empty($sr))           continue;
+                        if     (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip     $sr";
+                        elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
+                        elseif (is_username($sr))     $sg_tag->items[] = "user   " . str_replace("'", "", $sr);
+                }
+            } else {
+                $sg_tag->items[] = trim($src[F_SOURCE]);
             }
 
             if ($squidguard_config[F_ENABLELOG] == 'on' ) {
@@ -1172,6 +1192,16 @@ function sg_create_simple_config($blk_dbhome, $blk_destlist, $redirect_to = "404
     # init section
     $sgconf[] = "logdir $logdir";
     $sgconf[] = "dbhome $dbhome";
+    if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+        $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+        $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+        $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+        if ( $squidguard_config[F_STRIPNTDOMAIN] )
+            $sgconf[] = "stripntdomain true";
+        if ( $squidguard_config[F_STRIPREALM] )
+            $sgconf[] = "striprealm true";
+    }
+
     $sgconf[] = "";
 
     # destination section
@@ -1755,11 +1785,13 @@ function sg_check_src($sgx, $input_errors)
 
     # source may be as one ('source') field or as two ('ip' and 'domain') fields
     $src = (isset($sgx[F_SOURCE])) ? $sgx[F_SOURCE] : $sgx[F_IP] . " " . $sgx[F_DOMAINS];
-    $src = explode(" ", $src);
-    foreach ($src as $s_item) {
-        if ($s_item) {
-            if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))
-                $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+    if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false) {
+        $src = explode(" ", $src);
+        foreach ($src as $s_item) {
+                if ($s_item) {
+                        if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item) and (strpos($s_item, 'ldapusersearch') !== false))
+                                $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+                }
         }
     }
 
-- 
cgit v1.2.3